Security & Privacy Management Don't Have To Be Hard

Can You Honestly Answer HOW Privacy or Security Are Implemented At Your Organization?

When you "peel back the onion" and prepare for an audit, there is a need to address "the how" for certain topics, such as how Security by Design (SbD) and Privacy by Design (PbD) principles are managed. While policies and standards are designed to describe WHY something is required and WHAT needs to be done, many companies fail to create documentation to address HOW the policies and standards are actually implemented. We did the heavy lifting and created a program-level document to address this need and the Security & Privacy by Design (SPBD) is that solution.

If you can use Microsoft Word and Excel, then you can perform both Security by Design (SbD) and Privacy by Design (PbD) by simply following the instructions and editing the template to suit your specific requirements. While this is a template, we did the hard work of creating the formatting, bringing together the correct scope of information that needs to be addressed!

Click on the image below to open a PDF document that shows you what the Security & Privacy By Design (SPBD) contains, as well as a look at the worksheets used to generate the checklist.

Editable Excel Checklists

Click For An Example

Editable Excel Checklists

Click For An Example

The main SPBD document is an editable Microsoft Word document.

It is written at a program-level to provide direction and authority.

Defines how both Security by Design (SbD) and Privacy by Design (PbD) are going to be operationalized.

The SPBD comes with editable “paint by numbers” checklists for managing both privacy and security lifecycles.

Security checklists are based on NIST 800-160.

Privacy checklist is based on the OASIS Privacy Management Reference Model and Methodology (PMRM).

Security by Design (SbD) requirements come from numerous sources. In this context, the most important are:

International Organization for Standardization (ISO)

National Institute for Standards & Technology (NIST)

US Government (HIPAA & FedRAMP)

Information Systems Audit and Control Association (ISACA)

Cloud Security Alliance (CSA)

Center for Internet Security (CIS)

Open Web Application Security Project (OWASP)

Privacy by Design (PbD) requirements come from numerous sources. In this context, the most important are:

Fair Information Practice Principles (FIPPs)

European Union (EU) General Data Protection Regulation (GDPR)

Organization for the Advancement of Structured Information Standards (OASIS)

International Organization for Standardization (ISO)

National Institute for Standards & Technology (NIST)

Information Systems Audit and Control Association (ISACA)

US Government (HIPAA & FTC Act)

Central to Cybersecurity For Privacy By Design Requires Leveraging Common Touch Points

Unfortunately, most companies fail to see the common touch points that exist in both project lifecycles and this can lead to either gaps in coverage or duplication of efforts. Through our experience in cybersecurity and privacy, we understand these touch points and call those out to enable a "paint by numbers" approach to baking in both cybersecurity and privacy controls into development and project management processes.

This is where aligning your company’s Security by Design (SbD) efforts with the Risk Management Framework (RMF) (e.g., NIST 800-37) can be very beneficial, since the RMF provides a well-established format to securely engineer and maintain systems throughout the entire life cycle of the asset. Utilizing common linkages, Privacy by Design (PbD) is incorporated into the RMF cycle.

"Paint By Numbers" Approach To Cybersecurity & Privacy Requirements

What we've done is simply handle the heavy lifting to integrate security and privacy controls into standard project management processes. This allows your teams to have a "paint by numbers" approach to demonstrating that both cybersecurity and privacy principles are baked into the process! We identified the stages where both cybersecurity and privacy requirements are expected as part of project development. This can enable your teams to work more effectively together and reduce the negative effect of teams working in silos.

All too often, when projects are commenced, involvement from key stakeholders is siloed, as compared to operating as a cohesive team. We want to help your company avoid the following security & privacy pitfalls where:

Project / application teams work in a vacuum, unaware of security or privacy concerns;

Privacy and security conduct their own assessments without any information sharing or collaboration; and

Security involvement is viewed as a final hurdle to overcome, just prior to “go live” for the project.

Sign up for our Newsletter!

This website is designed for educational and reference purposes only. It does not render professional services advice and is not a substitute for dedicated professional services. If you have compliance questions, you should consult an information security professional to discuss your specific needs.

ComplianceForge disclaims any liability whatsoever for any documentation, information, or other material which is or may become a part of the website; and does not warrant or guarantee that the information will not be offensive to any user. User is hereby put on notice that by accessing and using the website, user assumes the risk that the information and documentation contained in the web site may be offensive and/or may not meet the needs and requirements of the user. The entire risk as to the use of the website is assumed by the user.